New Blog Post | The many lives of BlackCat ransomware

%3CLINGO-SUB%20id%3D%22lingo-sub-3501842%22%20slang%3D%22en-US%22%3ENew%20Blog%20Post%20%7C%20The%20many%20lives%20of%20BlackCat%20ransomware%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3501842%22%20slang%3D%22en-US%22%3E%3CDIV%20id%3D%22tinyMceEditorAntonio_Alejandro_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22fig2-blackcat-attack-chain-via-exchange-vulnerability.png%22%20style%3D%22width%3A%20799px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22fig2-blackcat-attack-chain-via-exchange-vulnerability.png%22%20style%3D%22width%3A%20799px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F379908iD87B5B96765FB9F8%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22fig2-blackcat-attack-chain-via-exchange-vulnerability.png%22%20alt%3D%22fig2-blackcat-attack-chain-via-exchange-vulnerability.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2022%2F06%2F13%2Fthe-many-lives-of-blackcat-ransomware%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EThe%20many%20lives%20of%20BlackCat%20ransomware%20-%20Microsoft%20Security%20Blog%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20BlackCat%20ransomware%2C%20also%20known%20as%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.varonis.com%2Fblog%2Falphv-blackcat-ransomware%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EALPHV%3C%2FA%3E%2C%20is%20a%20prevalent%20threat%20and%20a%20prime%20example%20of%20the%20growing%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2022%2F05%2F09%2Fransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eransomware-as-a-service%20(RaaS)%20gig%20economy.%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EIt%E2%80%99s%20noteworthy%20due%20to%20its%20unconventional%20programming%20language%20(Rust)%2C%20multiple%20target%20devices%20and%20possible%20entry%20points%2C%20and%20affiliation%20with%20prolific%20threat%20activity%20groups.%20While%20BlackCat%E2%80%99s%20arrival%20and%20execution%20vary%20based%20on%20the%20actors%20deploying%20it%2C%20the%20outcome%20is%20the%20same%E2%80%94%3CWBR%20%2F%3Etarget%20data%20is%20encrypted%2C%20exfiltrated%2C%20and%20used%20for%20%E2%80%9Cdouble%20extortion%2C%E2%80%9D%20where%20attackers%20threaten%20to%20release%20the%20stolen%20data%20to%20the%20public%20if%20the%20ransom%20isn%E2%80%99t%20paid.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22%22%3EFirst%20observed%20in%20November%202021%2C%20BlackCat%20initially%20made%20headlines%20because%20it%20was%20one%20of%20the%20first%20ransomware%20families%20written%20in%20the%20Rust%20programming%20language.%20By%20using%20a%20modern%20language%20for%20its%20payload%2C%20this%20ransomware%20attempts%20to%20evade%20detection%2C%20especially%20by%20conventional%20security%20solutions%20that%20might%20still%20be%20catching%20up%20in%20their%20ability%20to%20analyze%20and%20parse%20binaries%20written%20in%20such%20language.%20BlackCat%20can%20also%20target%20multiple%20devices%20and%20operating%20systems.%20Microsoft%20has%20observed%20successful%20attacks%20against%20Windows%20and%20Linux%20devices%20and%20VMWare%20instances.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3501842%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft
 

fig2-blackcat-attack-chain-via-exchange-vulnerability.png

The many lives of BlackCat ransomware - Microsoft Security Blog

 

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.

 

First observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such language. BlackCat can also target multiple devices and operating systems. Microsoft has observed successful attacks against Windows and Linux devices and VMWare instances.

 

0 Replies